Device compliance policies in Microsoft Intune
|Applies to: Intune in the classic portal|
What is a compliance policy?
To help protect company data, you need to make sure that the devices used to access company apps and data comply with certain rules. These rules might include using a PIN to access devices and encrypting data stored on devices. A set of such rules is called a compliance policy.
How should I use compliance policies?
You can use compliance policies with conditional access policies to allow only devices that comply with compliance policy rules to access email and other services. To learn how the two policies can be used together, read the Restrict access to email and O365 services article.
You can also use compliance policies independently of conditional access. When you use compliance policies independently, the targeted devices are evaluated and reported with their compliance status. For example, you might want to report about how many devices are not encrypted, or which devices are jailbroken or rooted. But when you use compliance policies independently, no access restrictions to company resources are in place.
You deploy compliance policies to users. When a compliance policy is deployed to a user, the user's devices are checked for compliance. To learn about how long it takes for mobile devices to get a policy after the policy is deployed, see Manage settings and features on your devices.
The following table lists the device types that compliance policies support. The table also describes how noncompliant settings are managed when a compliance policy is used with a conditional access policy.
| Policy setting | Windows 8.1 and later | Windows Phone 8.1 and later | iOS 8.0 and later | Android 4.0 and later, Samsung Knox Standard 4.0 and later |
|---|---|---|---|---|
| PIN or password configuration | Remediated | Remediated | Remediated | Quarantined |
| Device encryption | Not applicable | Remediated | Remediated (by setting PIN) | Quarantined |
| Jailbroken or rooted device | Not applicable | Not applicable | Quarantined (not a setting) | Quarantined (not a setting) |
| Email profile | Not applicable | Not applicable | Quarantined | Not applicable |
| Minimum OS version | Quarantined | Quarantined | Quarantined | Quarantined |
| Maximum OS version | Quarantined | Quarantined | Quarantined | Quarantined |
| Windows health attestation | Quarantined: Windows 10 and Windows 10 Mobile; Not applicable: Windows 8.1 | Not applicable | Not applicable | Not applicable |
Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.
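To make the table concrete, here is an added example (not Intune's own code) that models how a compliance policy is evaluated against a device and how each failed setting is handled per platform. The `Device` and `Policy` types, the field names and the short platform keys are assumptions made for illustration.

```python
from dataclasses import dataclass
# Handling of each failed setting per platform, transcribed from the table above;
# platform keys are constructed short names, "android" also covers Samsung Knox Standard.
PLATFORMS = ("windows", "windowsphone", "ios", "android")
HANDLING = {
    "pin":        dict(zip(PLATFORMS, ("Remediated", "Remediated", "Remediated", "Quarantined"))),
    "encryption": dict(zip(PLATFORMS, ("Not applicable", "Remediated", "Remediated", "Quarantined"))),
    "jailbroken": dict(zip(PLATFORMS, ("Not applicable", "Not applicable", "Quarantined", "Quarantined"))),
    "min_os": dict.fromkeys(PLATFORMS, "Quarantined"), "max_os": dict.fromkeys(PLATFORMS, "Quarantined"),
}

@dataclass
class Device:
    platform: str      # one of PLATFORMS
    os_version: str    # dotted version string as reported by the device, e.g. "10.3.1"
    has_pin: bool
    encrypted: bool
    jailbroken: bool   # jailbroken (iOS) or rooted (Android)

@dataclass
class Policy:
    require_pin: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True
    min_os: str = ""   # empty string means the rule is not configured
    max_os: str = ""

def ver(v: str) -> tuple:
    # Compare versions numerically: as strings, "9.3" would sort above "10.0".
    return tuple(int(p) for p in v.split("."))

def failed_settings(device: Device, policy: Policy) -> list:
    """Policy rules the device currently violates, in table order."""
    checks = [
        ("pin", policy.require_pin and not device.has_pin),
        ("encryption", policy.require_encryption and not device.encrypted),
        ("jailbroken", policy.block_jailbroken and device.jailbroken),
        ("min_os", bool(policy.min_os) and ver(device.os_version) < ver(policy.min_os)),
        ("max_os", bool(policy.max_os) and ver(device.os_version) > ver(policy.max_os)),
    ]
    return [name for name, failed in checks if failed]

def evaluate(device: Device, policy: Policy, conditional_access: bool) -> dict:
    """'Remediated' failures are enforced by the device OS; 'Quarantined' failures leave the device
    noncompliant (user notified, blocked if conditional access applies); 'Not applicable' is skipped."""
    failures = failed_settings(device, policy)
    remediated = [s for s in failures if HANDLING[s][device.platform] == "Remediated"]
    quarantined = [s for s in failures if HANDLING[s][device.platform] == "Quarantined"]
    return {"os_enforces": remediated, "quarantined": quarantined,
            "notify_user": bool(quarantined), "blocked": bool(quarantined) and conditional_access}
```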